Analysis
max time kernel: 66s
max time network: 126s
platform: windows7_x64
resource: win7v20210410
submitted: 28/05/2021, 17:48 UTC
Static task: static1
Behavioral task: behavioral1
  Sample: sample.exe
  Resource: win7v20210410
  0 signatures, 0 seconds
Behavioral task: behavioral2
  Sample: sample.exe
  Resource: win10v20210410
  0 signatures, 0 seconds
General
Target: sample.exe
Size: 1.3MB
MD5: 0e64acab6fb3d50aaebc17e6dfb2d289
SHA1: c5c672a4a8ebae04cf7471c56136dce58ccd88f0
SHA256: cd19340138f9eab48d20b3bf0a9dc6b4a6908d14cd48511ccefd6dba9e84705f
SHA512: e797d31d7355d1f222a444fa934599582ffd9593185668382b9ad05ade1086d152f342305fb1b734a4cc0f691b2b4ba70fd8f183f77aa3f6f775a470fb4e7013
Malware Config
Extracted
Path: C:\Users\Admin\Desktop\Decrypt-me.txt
Ransom Note (verbatim, as dropped by the sample):
All Your Files Has Been Encrypted
You Have to Pay to Get Your Files Back
1-Go to C:\ProgramData\ folder and send us prvkey*.txt.key file , * might be a number (like this : prvkey3.txt.key)
2-You can send some file little than 1mb for Decryption test to trust us But the test File should not contain valuable data
3-Payment should be with Bitcoin
4-Changing Windows without saving prvkey.txt.key file will cause permanete Data loss
Our Email:poker021@mailfence.com
in Case of no Answer:poker021@tutanota.com
Emails
Email: poker021@mailfence.com
Answer: poker021@tutanota.com
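The note and the Program Files IoCs below fix the sample's on-disk footprint: every encrypted file keeps its original name and gains the suffix `.[<contact email>][<victim id>].poker`, the note is dropped as `Decrypt-me.txt`, and the note tells the victim to find a `prvkey*.txt.key` file under `C:\ProgramData`. The following is an added hunting script, not part of the Triage report and not code from the sample: it walks a tree, parses that naming convention with a regular expression, and collects the three artifact classes so a responder can confirm scope (which victim IDs and contact addresses appear) and preserve the key file before anyone touches it. The demo tree it builds under a temporary directory is constructed for the example; on a real host you would call `hunt()` on the volume root instead.

```python
"""Hunt a directory tree for the artifacts the Triage report shows this sample leaving.

Added example (not from the report or the sample). Matches the renamed-file
pattern `<original>.[<email>][<victim-id>].poker`, the ransom note
`Decrypt-me.txt`, and the `prvkey*.txt.key` file the note refers to.
"""
import os
import re
import tempfile
from dataclasses import dataclass, field

# Naming convention observed in the report's Program Files IoCs:
#   <original name>.[<contact email>][<victim id>].poker
ENCRYPTED_RE = re.compile(
    r"^(?P<original>.+)\.\[(?P<email>[^\]\s]+@[^\]\s]+)\]\[(?P<victim_id>[^\]]+)\]\.poker$",
    re.IGNORECASE,
)
NOTE_NAME = "decrypt-me.txt"                      # C:\Users\Admin\Desktop\Decrypt-me.txt
PRVKEY_RE = re.compile(r"^prvkey\d*\.txt\.key$", re.IGNORECASE)  # "prvkey*.txt.key" per the note


@dataclass
class Findings:
    encrypted: list = field(default_factory=list)  # (path, original_name, email, victim_id)
    notes: list = field(default_factory=list)      # ransom note copies
    prvkeys: list = field(default_factory=list)    # key files to preserve, never to send

    def victim_ids(self):
        return sorted({e[3] for e in self.encrypted})

    def emails(self):
        return sorted({e[2] for e in self.encrypted})


def parse_encrypted_name(name):
    """Return (original_name, email, victim_id) for a renamed file, else None."""
    m = ENCRYPTED_RE.match(name)
    if not m:
        return None
    return m.group("original"), m.group("email"), m.group("victim_id")


def hunt(root):
    """Walk `root` and classify every file name; contents are never read."""
    found = Findings()
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            parsed = parse_encrypted_name(name)
            if parsed:
                found.encrypted.append((path, *parsed))
            elif name.lower() == NOTE_NAME:
                found.notes.append(path)
            elif PRVKEY_RE.match(name):
                found.prvkeys.append(path)
    return found


def build_demo_tree():
    """Constructed sample tree mirroring a few report paths; not a real infection."""
    root = tempfile.mkdtemp(prefix="poker_demo_")
    layout = {
        "Program Files/7-Zip/Lang/uz.txt.[poker021@mailfence.com][MJ-UG7304985126].poker": b"\x00" * 16,
        "Program Files/Java/jre7/lib/ext/dnsns.jar.[poker021@mailfence.com][MJ-UG7304985126].poker": b"\x00" * 16,
        "Program Files/VideoLAN/VLC/plugins/demux/libsid_plugin.dll": b"MZ",  # touched, not renamed
        "Users/Admin/Desktop/Decrypt-me.txt": b"All Your Files Has Been Encrypted",
        "ProgramData/prvkey3.txt.key": b"opaque",
        "Windows/System32/catroot/x.cat": b"cat",
    }
    for rel, data in layout.items():
        full = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    res = hunt(build_demo_tree())
    print(f"{len(res.encrypted)} encrypted, {len(res.notes)} notes, {len(res.prvkeys)} prvkey files")
    print("victim ids:", res.victim_ids(), "emails:", res.emails())
```

The match is on file names only, so a file the sample opened but did not rename (the System32 and Windows entries below) is not reported; it also means a benign file that happens to carry the suffix would be, so treat hits as leads to confirm, and hash and copy any `prvkey*.txt.key` hit to evidence storage rather than acting on the note's instructions.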
Signatures
-
Drops file in Drivers directory (9 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\drivers\gmreadme.txt | sample.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\bfe.dll.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\ndiscap.sys.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\pacer.sys.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\drivers\gm.dls | sample.exe
File opened for modification | C:\Windows\SysWOW64\drivers\wimmount.sys | sample.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\qwavedrv.sys.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\scfilter.sys.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\drivers\en-US\tcpip.sys.mui | sample.exe
-
Modifies Windows Firewall (1 TTP)
-
Drops startup file (1 IoC)
description | ioc | Process
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | sample.exe
-
Reads user/profile data of web browsers (2 TTPs)
Infostealers often target stored browser data, which can include saved credentials etc.
-
Drops desktop.ini file(s) (64 IoCs)
description | ioc | Process
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini | sample.exe
File opened for modification | C:\Windows\Fonts\desktop.ini | sample.exe
File opened for modification | C:\Windows\Media\Quirky\Desktop.ini | sample.exe
File opened for modification | C:\Windows\Media\Sonata\Desktop.ini | sample.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\Favorites\Links\desktop.ini | sample.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | sample.exe
File opened for modification | C:\Users\Public\Desktop\desktop.ini | sample.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini | sample.exe
File created | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | sample.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Libraries\desktop.ini | sample.exe
File opened for modification | C:\Users\Public\Pictures\desktop.ini | sample.exe
File opened for modification | C:\Users\Public\Documents\desktop.ini | sample.exe
File opened for modification | C:\Windows\Media\Savanna\Desktop.ini | sample.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini | sample.exe
File opened for modification | C:\Program Files\desktop.ini | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI | sample.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | sample.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | sample.exe
File opened for modification | C:\Windows\ServiceProfiles\NetworkService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | sample.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\Stationery\Desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\Videos\desktop.ini | sample.exe
File opened for modification | C:\Users\Public\Recorded TV\desktop.ini | sample.exe
File opened for modification | C:\Windows\Media\Cityscape\Desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini | sample.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\desktop.ini | sample.exe
File opened for modification | C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\MLS6OOW4\desktop.ini | sample.exe
File opened for modification | C:\Windows\Media\Raga\Desktop.ini | sample.exe
File created | C:\$Recycle.Bin\S-1-5-21-2513283230-931923277-594887482-1000\desktop.ini | sample.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | sample.exe
File opened for modification | C:\Windows\Downloaded Program Files\desktop.ini | sample.exe
File opened for modification | C:\Windows\Media\Garden\Desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini | sample.exe
File opened for modification | C:\Windows\Media\Heritage\Desktop.ini | sample.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini | sample.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\Favorites\Links for United States\desktop.ini | sample.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini | sample.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Ringtones\desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\Cookies\desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\Desktop\desktop.ini | sample.exe
File created | C:\Program Files\desktop.ini | sample.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini | sample.exe
File opened for modification | C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini | sample.exe
File opened for modification | C:\Windows\Media\Landscape\Desktop.ini | sample.exe
File opened for modification | C:\Users\Public\Music\desktop.ini | sample.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini | sample.exe
File opened for modification | C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | sample.exe
File opened for modification | C:\Program Files (x86)\desktop.ini | sample.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini | sample.exe
File opened for modification | C:\Windows\Web\Wallpaper\Nature\Desktop.ini | sample.exe
File opened for modification | C:\Windows\Web\Wallpaper\Scenes\Desktop.ini | sample.exe
File created | C:\Program Files (x86)\desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\93PHUZFG\desktop.ini | sample.exe
File opened for modification | C:\Users\Public\Recorded TV\Sample Media\desktop.ini | sample.exe
File opened for modification | C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini | sample.exe
File opened for modification | C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini | sample.exe
-
Drops file in System32 directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\KBDUKX.DLL | sample.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~pt-BR~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNB_0295.GPD | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVPZ1.INI | sample.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\Schemas\PSMaml\task.xsd | sample.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnbr003.inf_amd64_neutral_dff45d1d0df04caf\Amd64\BRQL57.GPD | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prngt002.inf_amd64_neutral_df2060d80de9ff13\Amd64\GS3350B.GPD | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnnr002.inf_amd64_neutral_37896c5e81c8d488\Amd64\NRC6000.GPD | sample.exe
File opened for modification | C:\Windows\SysWOW64\hr-HR\comctl32.dll.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\spp\tokens\channels\OCUR\Security-SPP-Component-SKU-OCUR-RETAIL1-pl.xrm-ms | sample.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-UIAnimation-WinIP-Package~31bf3856ad364e35~amd64~ar-SA~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\brmfcmdm.inf_loc | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00g.inf_amd64_neutral_2926840e245f88f6\Amd64\EP0NGL8R.GPD | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnin004.inf_amd64_neutral_c8902ae660ab1360\Amd64\IF1371E3.PPD | sample.exe
File opened for modification | C:\Windows\SysWOW64\devrtl.dll | sample.exe
File opened for modification | C:\Windows\SysWOW64\hdwwiz.exe | sample.exe
File opened for modification | C:\Windows\SysWOW64\WMVCORE.DLL | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep004.inf_amd64_neutral_63b22bfb6b93eaba\Amd64\EP7MDL15.GPD | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnkm002.inf_amd64_neutral_7c42808e24ebff99\Amd64\KOC20PPU.PPD | sample.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-IIS-HttpRedirect-Deployment-DL.man | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00c.inf_amd64_neutral_510c36849918ce92\Amd64\CNB_0317.DLL | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prngt004.inf_amd64_neutral_f5bf8a7ba9dfff55\Amd64\GS1433E3.PPD | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wceisvista.inf_amd64_neutral_3500779911f7f3ca\wceisvista.PNF | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiaca00b.inf_amd64_neutral_1aaa057d3d52ea43\CNHI08A.DLL | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\wiasa002.inf_amd64_neutral_6429a42f1243419a\SA4500.icc | sample.exe
File opened for modification | C:\Windows\SysWOW64\NOISE.CHT | sample.exe
File opened for modification | C:\Windows\SysWOW64\powercpl.dll | sample.exe
File opened for modification | C:\Windows\SysWOW64\en-US\wevtutil.exe.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\MRINFO.EXE | sample.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-PowerShell-Client-WTR-Package~31bf3856ad364e35~amd64~~7.2.7601.16406.cat | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmmoto1.inf_amd64_neutral_bf4b404852955eb4\mdmmoto1.PNF | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00h.inf_amd64_neutral_96a8e38189e54d71\Amd64\CNB_0301.GPD | sample.exe
File opened for modification | C:\Windows\SysWOW64\en-US\chkdsk.exe.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\en-US\vaultsvc.dll.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\migration\en-US\SxsMigPlugin.dll.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\ir41_32.ax | sample.exe
File opened for modification | C:\Windows\SysWOW64\usbui.dll | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\igdlh.inf_amd64_neutral_54a12b57f547d08e\igdumd64.dll | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnep00l.inf_amd64_neutral_f1fa021d2221e2c7\Amd64\EP0LVR10.DLL | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpc5300t.vdf | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp004.inf_amd64_neutral_53f688945cfc24cc\Amd64\hpD5400t.vdf | sample.exe
File opened for modification | C:\Windows\SysWOW64\XpsRasterService.dll | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp002.inf_amd64_neutral_04d05d1f6a90ea24\Amd64\HPZ6CWN7.INI | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnhp003.inf_amd64_neutral_4480210763997eb4\Amd64\hpj6400t.xml | sample.exe
File opened for modification | C:\Windows\SysWOW64\en-US\cmcfg32.dll.mui | sample.exe
File opened for modification | C:\Windows\SysWOW64\wbem\wbemprox.dll | sample.exe
File opened for modification | C:\Windows\SysWOW64\WindowsPowerShell\v1.0\HelpV3.format.ps1xml | sample.exe
File opened for modification | C:\Windows\SysWOW64\prvdmofcomp.dll | sample.exe
File opened for modification | C:\Windows\SysWOW64\en-US\rpcrt4.dll.mui | sample.exe
File opened for modification | C:\Windows\System32\catroot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Win8IP-Microsoft-Windows-Graphics-Package~31bf3856ad364e35~amd64~he-IL~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\mdmar1.inf_amd64_neutral_b8ebf59556c3dbf0\mdmar1.inf | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\net1qx64.inf_amd64_neutral_85d10fa4c777b7be\net1qx64.PNF | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnlx00b.inf_amd64_neutral_89b555703683b583\Amd64\LXT650.GPD | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smpicfg3.ini | sample.exe
File opened for modification | C:\Windows\SysWOW64\en-US\polstore.dll.mui | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00e.inf_amd64_neutral_651eeed98428be5e\Amd64\CNBP_297.DLL | sample.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\Microsoft-Windows-NetworkBridge-DL.man | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\en-US\lsi_scsi.inf_loc | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnca00g.inf_amd64_neutral_6f76b14b2912fa55\Amd64\CNB_0281.DLL | sample.exe
File opened for modification | C:\Windows\System32\DriverStore\FileRepository\prnsa002.inf_amd64_neutral_d9df1d04d8cbe336\Amd64\smc770u.xml | sample.exe
File opened for modification | C:\Windows\SysWOW64\migwiz\dlmanifests\MediaServer-Multicast-Migration-DL.man | sample.exe
File opened for modification | C:\Windows\SysWOW64\wbem\portabledeviceapi.mof | sample.exe
File opened for modification | C:\Windows\SysWOW64\wbem\WsmAgent.mof | sample.exe
-
Drops file in Program Files directory (64 IoCs)
description | ioc | Process
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.historicaldata.ja_5.5.0.165303.jar.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0099196.GIF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH01179J.JPG.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.p2.extensionlocation.nl_zh_4.4.0.v20140623020002.jar.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\locale\co\LC_MESSAGES\vlc.mo | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PROOF\MSHY7EN.LEX | sample.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\BULLETS\BD14514_.GIF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\bin\j2pcsc.dll | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\include\win32\bridge\AccessBridgeCalls.c.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.console.ui.mbeanbrowser.zh_CN_5.5.0.165303.jar | sample.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Atlantic\Faroe | sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libcaf_plugin.dll | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0313965.JPG | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PSSKETLG.WMF | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PEOPLEDATAHANDLER.DLL | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms5\FormsViewAttachmentIconsMask.bmp | sample.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0102984.WMF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0105266.WMF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\Publisher\Backgrounds\WB02077_.GIF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.e4.ui.widgets.nl_ja_4.4.0.v20140623020002.jar | sample.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.browser.attach_5.5.0.165303.jar.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\images\rss_headline_glow_floating.png | sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\btn_search_up_BIDI.png | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Tracker\trash.gif | sample.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Kamchatka.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\1033\MSACCESS.DEV.HXS.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\7-Zip\Lang\uz.txt.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\plugins\demux\libsid_plugin.dll | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\modules\locale\org-netbeans-swing-plaf_ja.jar.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Templates\1033\Access\Part\Contacts.accdt | sample.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\com.jrockit.mc.common_5.5.0.165303.jar.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Java\jre7\lib\ext\dnsns.jar.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PE02120_.WMF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\bin\jp2ssv.dll.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\VideoLAN\VLC\lua\http\images\buttons.png.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRdIF.dll.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\OUTLMIME.DLL | sample.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\grayStateIcon.png | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\dark\e4-dark_partstyle.css | sample.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\ink\TabTip32.exe | sample.exe
File opened for modification | C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\INDUST\PREVIEW.GIF | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\CONVERT\DELIMDOS.FAE | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN092.XML | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\SO01236_.WMF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File created | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.frameworkadmin.equinox.nl_ja_4.4.0.v20140623020002.jar.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-application.xml.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\26.png | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\ADDINS\MSVCR71.DLL.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DD01180_.WMF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\jre\lib\jce.jar.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-core.xml | sample.exe
File opened for modification | C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\42.png | sample.exe
File created | C:\Program Files (x86)\Microsoft Office\MEDIA\OFFICE14\LINES\BD14996_.GIF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\DVD Maker\Shared\DvdStyles\rectangle_photo_Thumbnail.bmp | sample.exe
File opened for modification | C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.feature_3.9.0.v20140827-1444\META-INF\MANIFEST.MF | sample.exe
File created | C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\Etc\GMT.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Java\jre7\lib\zi\Asia\Brunei | sample.exe
File opened for modification | C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\images\reveal_rest.png | sample.exe
File created | C:\Program Files\Mozilla Firefox\xul.dll.sig.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\PH03224I.JPG | sample.exe
File created | C:\Program Files\VideoLAN\VLC\plugins\video_chroma\libi420_rgb_plugin.dll.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BrightOrange\BUTTON.GIF | sample.exe
File created | C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\J0216612.WMF.[poker021@mailfence.com][MJ-UG7304985126].poker | sample.exe
File opened for modification | C:\Program Files\Common Files\System\msadc\en-US\msdaremr.dll.mui | sample.exe
-
Drops file in Windows directory (64 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\servicing\Packages\Package_1_for_KB4019990~31bf3856ad364e35~amd64~~6.1.1.2.mum | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Package_310_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.mum | sample.exe
File opened for modification | C:\Windows\servicing\Editions\HomePremiumEdition.xml | sample.exe
File opened for modification | C:\Windows\inf\prnkm002.inf | sample.exe
File opened for modification | C:\Windows\inf\wiaca00b.inf | sample.exe
File opened for modification | C:\Windows\inf\.NET Memory Cache 4.0\0009\netmemorycache.ini | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\1036\SetupResources.dll | sample.exe
File opened for modification | C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\AU-wp6.jpg | sample.exe
File opened for modification | C:\Windows\Media\Festival\Windows Error.wav | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\SMSvcHost.exe | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\normnfc.nlp | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-RDC-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\adonetdiag.mof | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Wizard\App_LocalResources\wizardCreateRoles.ascx.resx | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~da-DK~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Linq.Queryable\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Linq.Queryable.dll | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.Wrapper.dll | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ASP.NETWebAdminFiles\Images\image2.gif | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~th-TH~7.1.7601.16492.mum | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Package_419_for_KB3109118~31bf3856ad364e35~amd64~~6.1.4.0.cat | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Package_for_KB3109118_SP1_GM~31bf3856ad364e35~amd64~~6.1.4.0.mum | sample.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.IdentityModel\9b1d7533105a793af14b7b51cd5443af\System.IdentityModel.ni.dll | sample.exe
File opened for modification | C:\Windows\inf\ts_wpdmtp.inf | sample.exe
File opened for modification | C:\Windows\Installer\fb5e.msi | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.Win32.Primitives\v4.0_4.0.0.0__b03f5f7f11d50a3a\Microsoft.Win32.Primitives.dll | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\clrcompression.dll | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Windows-WinIP-Package~31bf3856ad364e35~amd64~hu-HU~7.1.7601.16492.mum | sample.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Web.4961ff77#\28b0b7573c3bdbc27187e3dbc4f1f1ff\System.Web.Entity.Design.ni.dll | sample.exe
File opened for modification | C:\Windows\inf\bthprint.inf | sample.exe
File opened for modification | C:\Windows\inf\prnrc005.PNF | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-InternetExplorer-Package~31bf3856ad364e35~amd64~en-US~11.2.9600.16428.mum | sample.exe
File opened for modification | C:\Windows\AppPatch\AppPatch64\sysmain.sdb | sample.exe
File opened for modification | C:\Windows\Media\Garden\Windows Hardware Insert.wav | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v3.0\WPF\PresentationHostDLL.dll | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package-MiniLP~31bf3856ad364e35~amd64~fi-FI~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-PlatformUpdate-Win7-SRV08R2-Package~31bf3856ad364e35~amd64~fi-FI~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-Multimedia-Package~31bf3856ad364e35~amd64~es-ES~7.1.7601.16492.mum | sample.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_64\System.Draw0a54d252#\ef31f92d5ee5c2a437add4506830d025\System.Drawing.Design.ni.dll.aux | sample.exe
File opened for modification | C:\Windows\assembly\NativeImages_v4.0.30319_32\System.Xml.Linq\f68563fb25af65c25de37130ebcd576c\System.Xml.Linq.ni.dll.aux | sample.exe
File opened for modification | C:\Windows\Media\Calligraphy\Windows Print complete.wav | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\CONFIG\web_lowtrust.config | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsn.dll | sample.exe
File opened for modification | C:\Windows\SoftwareDistribution\PostRebootEventCache\{CD35D76E-B003-4461-B93C-D47630C7AF32}.bin | sample.exe
File opened for modification | C:\Windows\assembly\pubpol42.dat | sample.exe
File opened for modification | C:\Windows\assembly\NativeImages_v2.0.50727_64\System.Drawing\5910828a337dbe848dc90c7ae0a7dee2\System.Drawing.ni.dll | sample.exe
File opened for modification | C:\Windows\Fonts\BELLI.TTF | sample.exe
File opened for modification | C:\Windows\inf\ramdisk.PNF | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\assembly\GAC_32\mscorlib\v4.0_4.0.0.0__b77a5c561934e089\mscorlib.dll | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\Config\web_minimaltrust.config.default | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Shell-WinIP-Package~31bf3856ad364e35~amd64~hu-HU~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\assembly\GAC_MSIL\Policy.11.0.office\14.0.0.0__71e9bce111e9429c\Policy.11.0.office.config | sample.exe
File opened for modification | C:\Windows\Fonts\ega40737.fon | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles\Security\Users\App_LocalResources\findUsers.aspx.resx | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v4.0.30319\System.EnterpriseServices.tlb | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Microsoft-Windows-Printer-Drivers-Package~31bf3856ad364e35~amd64~en-US~6.1.7601.17514.cat | sample.exe
File opened for modification | C:\Windows\servicing\Packages\Win8IP-Microsoft-Windows-DownlevelApisets-Com-WinIP-Package~31bf3856ad364e35~amd64~ja-JP~7.1.7601.16492.cat | sample.exe
File opened for modification | C:\Windows\assembly\GAC_32\ehexthost32\6.1.0.0__31bf3856ad364e35\ehexthost32.exe | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\System.Drawing.tlb | sample.exe
File opened for modification | C:\Windows\Installer\$PatchCache$\Managed\1926E8D15D0BCE53481466615F760A7F\10.0.40219\F_CENTRAL_mfc100kor_x64 | sample.exe
File opened for modification | C:\Windows\ehome\CreateDisc\Filters\AudioDepthConverter.ax | sample.exe
File opened for modification | C:\Windows\Help\Windows\en-US\library.H1S | sample.exe
File opened for modification | C:\Windows\Media\Heritage\Windows Logoff Sound.wav | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ASP.NETWebAdminFiles\Images\image1.gif | sample.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MUI\0409\mscorsecr.dll | sample.exe
-
NTFS ADS 3 IoCs
description ioc Process
File opened for modification C:\Users\Admin\Documents\My Music\ꡀ眡ʺÿC:\Users\Admin\Documents\WaitLock.txt sample.exe
File opened for modification C:\Users\Admin\Documents\My Pictures\ꡀ眡ʺÿC:\Users\Admin\Documents\WaitLock.txt sample.exe
File opened for modification C:\Users\Admin\Documents\My Videos\ꡀ眡ʺÿC:\Users\Admin\Documents\WaitLock.txt sample.exe
Runs net.exe
Suspicious behavior: EnumeratesProcesses 9 IoCs
pid Process
1640 sample.exe
1640 sample.exe
1640 sample.exe
1640 sample.exe
1640 sample.exe
1640 sample.exe
1640 sample.exe
1640 sample.exe
1640 sample.exe
Suspicious use of WriteProcessMemory 64 IoCs
description                        pid  Process     procid_target
PID 1640 wrote to memory of 1208   1640 sample.exe  27   (4 entries)
PID 1208 wrote to memory of 1280   1208 cmd.exe     29   (4 entries)
PID 1280 wrote to memory of 1236   1280 net.exe     30   (4 entries)
PID 1640 wrote to memory of 1972   1640 sample.exe  31   (4 entries)
PID 1640 wrote to memory of 1952   1640 sample.exe  33   (4 entries)
PID 1640 wrote to memory of 1728   1640 sample.exe  35   (4 entries)
PID 1640 wrote to memory of 1768   1640 sample.exe  37   (4 entries)
PID 1768 wrote to memory of 1700   1768 cmd.exe     39   (4 entries)
PID 1700 wrote to memory of 1628   1700 net.exe     40   (4 entries)
PID 1640 wrote to memory of 1464   1640 sample.exe  41   (4 entries)
PID 1464 wrote to memory of 1484   1464 cmd.exe     43   (4 entries)
PID 1484 wrote to memory of 1716   1484 net.exe     44   (4 entries)
PID 1640 wrote to memory of 1588   1640 sample.exe  45   (4 entries)
PID 1588 wrote to memory of 1660   1588 cmd.exe     47   (4 entries)
PID 1660 wrote to memory of 328    1660 net.exe     48   (4 entries)
PID 1640 wrote to memory of 1812   1640 sample.exe  49   (4 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\sample.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\sample.exe"
    PID: 1640
    - Drops file in Drivers directory
    - Drops startup file
    - Drops desktop.ini file(s)
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c net stop MSDTC
        PID: 1208
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop MSDTC
            PID: 1280
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop MSDTC
                PID: 1236

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} bootstatuspolicy ignoreallfailures
        PID: 1972

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c bcdedit /set {default} recoveryenabled no
        PID: 1952

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c wbadmin delete catalog -quiet
        PID: 1728

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c net stop SQLSERVERAGENT
        PID: 1768
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop SQLSERVERAGENT
            PID: 1700
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop SQLSERVERAGENT
                PID: 1628

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
        PID: 1464
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop MSSQLSERVER
            PID: 1484
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop MSSQLSERVER
                PID: 1716

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c net stop vds
        PID: 1588
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop vds
            PID: 1660
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop vds
                PID: 328

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c netsh advfirewall set currentprofile state off
        PID: 1812

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh advfirewall set currentprofile state off
            PID: 1796

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c netsh firewall set opmode mode=disable
        PID: 844

        [3] C:\Windows\SysWOW64\netsh.exe
            Command line: netsh firewall set opmode mode=disable
            PID: 968

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c net stop SQLWriter
        PID: 616

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop SQLWriter
            PID: 520

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop SQLWriter
                PID: 1372

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c net stop SQLBrowser
        PID: 1108

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop SQLBrowser
            PID: 1800

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop SQLBrowser
                PID: 1740

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c net stop MSSQLSERVER
        PID: 1236

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop MSSQLSERVER
            PID: 1956

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop MSSQLSERVER
                PID: 1456

    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c net stop MSSQL$CONTOSO1
        PID: 1952

        [3] C:\Windows\SysWOW64\net.exe
            Command line: net stop MSSQL$CONTOSO1
            PID: 1696

            [4] C:\Windows\SysWOW64\net1.exe
                Command line: C:\Windows\system32\net1 stop MSSQL$CONTOSO1
                PID: 1628

[1] C:\Windows\system32\NOTEPAD.EXE
    Command line: "C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\Decrypt-me.txt
    PID: 1208
Network
Remote address: 8.8.8.8:53
Request: api.my-ip.io IN A
Response: api.my-ip.io IN A 157.245.5.40

Remote address: 157.245.5.40:443
Request:
GET /ip HTTP/1.1
Host: api.my-ip.io
Accept: */*
Response:
HTTP/1.1 200 OK
Date: Fri, 28 May 2021 17:48:34 GMT
Content-Type: text/plain; charset=utf-8
Content-Length: 12
Connection: keep-alive
Cache-Control: no-store,no-cache
Pragma: no-cache
X-IP-Type: IPv4

Remote address: 8.8.8.8:53
Request: x1.c.lencr.org IN A
Response:
x1.c.lencr.org IN CNAME crl.root-x1.letsencrypt.org.edgekey.net
crl.root-x1.letsencrypt.org.edgekey.net IN CNAME e8652.dscx.akamaiedge.net
e8652.dscx.akamaiedge.net IN A 104.73.131.204

Remote address: 104.73.131.204:80
Request:
GET / HTTP/1.1
Connection: Keep-Alive
Accept: */*
User-Agent: Microsoft-CryptoAPI/6.1
Host: x1.c.lencr.org
Response:
HTTP/1.1 200 OK
Content-Type: application/pkix-crl
Last-Modified: Fri, 04 Sep 2020 00:34:32 GMT
ETag: "5f518b98-2cd"
Cache-Control: max-age=3600
Expires: Fri, 28 May 2021 18:48:34 GMT
Date: Fri, 28 May 2021 17:48:34 GMT
Content-Length: 717
Connection: keep-alive
946 B 5.7kB 11 11
HTTP Request: GET https://api.my-ip.io/ip
HTTP Response: 200

350 B 2.2kB 5 4
HTTP Request: GET http://x1.c.lencr.org/
HTTP Response: 200

152 B 3